diff options
| -rw-r--r-- | src/backend/utils/adt/acl.c | 8 | ||||
| -rw-r--r-- | src/test/regress/expected/privileges.out | 32 | ||||
| -rw-r--r-- | src/test/regress/sql/privileges.sql | 25 |
3 files changed, 61 insertions, 4 deletions
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index ea28da26a89..fd71a9b13e9 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -4852,10 +4852,6 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type, Form_pg_auth_members form = (Form_pg_auth_members) GETSTRUCT(tup); Oid otherid = form->roleid; - /* If we're supposed to ignore non-heritable grants, do so. */ - if (type == ROLERECURSE_PRIVS && !form->inherit_option) - continue; - /* * While otherid==InvalidOid shouldn't appear in the catalog, the * OidIsValid() avoids crashing if that arises. @@ -4864,6 +4860,10 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type, OidIsValid(admin_of) && !OidIsValid(*admin_role)) *admin_role = memberid; + /* If we're supposed to ignore non-heritable grants, do so. */ + if (type == ROLERECURSE_PRIVS && !form->inherit_option) + continue; + /* * Even though there shouldn't be any loops in the membership * graph, we must test for having already seen this role. It is diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out index 527c9d30a0b..bd3453ee914 100644 --- a/src/test/regress/expected/privileges.out +++ b/src/test/regress/expected/privileges.out @@ -2777,3 +2777,35 @@ SELECT COUNT(*) >= 0 AS ok FROM pg_shmem_allocations; RESET ROLE; -- clean up DROP ROLE regress_readallstats; +-- test role grantor machinery +CREATE ROLE regress_group; +CREATE ROLE regress_group_direct_manager; +CREATE ROLE regress_group_indirect_manager; +CREATE ROLE regress_group_member; +GRANT regress_group TO regress_group_direct_manager WITH INHERIT FALSE, ADMIN TRUE; +GRANT regress_group_direct_manager TO regress_group_indirect_manager; +SET SESSION AUTHORIZATION regress_group_direct_manager; +GRANT regress_group TO regress_group_member; +SELECT member::regrole::text, CASE WHEN grantor = 10 THEN 'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text END FROM pg_auth_members WHERE roleid = 'regress_group'::regrole ORDER BY 1, 2; + member | grantor +------------------------------+------------------------------ + regress_group_direct_manager | BOOTSTRAP SUPERUSER + regress_group_member | regress_group_direct_manager +(2 rows) + +REVOKE regress_group FROM regress_group_member; +SET SESSION AUTHORIZATION regress_group_indirect_manager; +GRANT regress_group TO regress_group_member; +SELECT member::regrole::text, CASE WHEN grantor = 10 THEN 'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text END FROM pg_auth_members WHERE roleid = 'regress_group'::regrole ORDER BY 1, 2; + member | grantor +------------------------------+------------------------------ + regress_group_direct_manager | BOOTSTRAP SUPERUSER + regress_group_member | regress_group_direct_manager +(2 rows) + +REVOKE regress_group FROM regress_group_member; +RESET SESSION AUTHORIZATION; +DROP ROLE regress_group; +DROP ROLE regress_group_direct_manager; +DROP ROLE regress_group_indirect_manager; +DROP ROLE regress_group_member; diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql index 5dae42c2a98..4ad366470d9 100644 --- a/src/test/regress/sql/privileges.sql +++ b/src/test/regress/sql/privileges.sql @@ -1788,3 +1788,28 @@ RESET ROLE; -- clean up DROP ROLE regress_readallstats; + +-- test role grantor machinery +CREATE ROLE regress_group; +CREATE ROLE regress_group_direct_manager; +CREATE ROLE regress_group_indirect_manager; +CREATE ROLE regress_group_member; + +GRANT regress_group TO regress_group_direct_manager WITH INHERIT FALSE, ADMIN TRUE; +GRANT regress_group_direct_manager TO regress_group_indirect_manager; + +SET SESSION AUTHORIZATION regress_group_direct_manager; +GRANT regress_group TO regress_group_member; +SELECT member::regrole::text, CASE WHEN grantor = 10 THEN 'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text END FROM pg_auth_members WHERE roleid = 'regress_group'::regrole ORDER BY 1, 2; +REVOKE regress_group FROM regress_group_member; + +SET SESSION AUTHORIZATION regress_group_indirect_manager; +GRANT regress_group TO regress_group_member; +SELECT member::regrole::text, CASE WHEN grantor = 10 THEN 'BOOTSTRAP SUPERUSER' ELSE grantor::regrole::text END FROM pg_auth_members WHERE roleid = 'regress_group'::regrole ORDER BY 1, 2; +REVOKE regress_group FROM regress_group_member; + +RESET SESSION AUTHORIZATION; +DROP ROLE regress_group; +DROP ROLE regress_group_direct_manager; +DROP ROLE regress_group_indirect_manager; +DROP ROLE regress_group_member; |